For defense contractors, Cybersecurity Maturity Model Certification (CMMC) is a requirement for securing government contracts. With three levels outlined by the Department of Defense (DoD), many organizations find themselves unsure about which level applies to them and whether they can self-assess or need a Certified Third-Party Assessor Organization (C3PAO). This guide outlines CMMC Level 1, providing clarity on its requirements and helping you determine the right level for your business.
What is CMMC?
CMMC is designed for defense contractors and subcontractors within the Defense Industrial Base (DIB) who manage Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0, finalized in December 2024, streamlines the framework into three levels of compliance, each tailored to the sensitivity of the information being handled:
- Level 1 (Foundational): Focuses on basic cybersecurity practices for organizations handling FCI. Compliance is demonstrated through annual self-assessments.
- Level 2 (Advanced): Designed for organizations managing CUI, this level aligns with the 110 practices outlined in NIST SP 800-171. CUI handlers require third-party assessments every three years.
- Level 3 (Expert): Reserved for the most sensitive programs, this level incorporates additional requirements from NIST SP 800-172 on top of CMMC Level 2 certification and mandates direct assessments by the DoD.
Who needs CMMC Level 1?
Organizations can pursue Level 1 rather than Level 2 certification if their DoD contracts do not require them to handle CUI. Because certification levels are determined strictly by the type of data handled rather than by organization size, Level 1 is the standard for businesses and subcontractors that do not handle higher categories of DoD information but are still critical to overall supply chain security, especially those providing goods or services that do not involve sensitive or classified defense data.
The key determinant in choosing Level 1 is the nature of the information you access: Level 1 is designed for companies that only need to meet the minimal threshold of protecting FCI. However, if your business objectives evolve, and you anticipate handling CUI or expanding into more sensitive DoD projects, you may consider preparing for Level 2 to facilitate future growth.
Ultimately, the decision to pursue Level 1 compliance or Level 2 certification depends on your current needs and long-term business goals.
Understanding CMMC Level 1
CMMC Level 1 is considered the baseline for organizations looking to work with the DoD and is referred to as the “Foundational” level. Its core objective is to ensure companies have established basic cyber hygiene practices to protect FCI, which is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It does not include information the government provides to the public (such as on public websites) or simple transactional details like payment information.
Unlike Level 2 and above, which address CUI with advanced controls, Level 1 focuses on preventing common cyber threats like phishing, basic malware, or unauthorized access.
To meet Level 1, organizations must implement the 17 security controls outlined in Federal Acquisition Regulation (FAR) 52.204-21. The 17 requirements fall into six key domains:
- Access control: Restrict system and information access to authorized users only.
- Identification and authentication: Verify user identities before granting system access.
- Media protection: Safeguard and securely dispose of media (e.g., USB drives, hard drives) containing FCI.
- Physical protection: Restrict physical access to systems and equipment to authorized personnel.
- System and communications protection: Control and monitor communications at system boundaries.
- System and information integrity: Detect and address system vulnerabilities promptly.
Unlike higher CMMC levels, Level 1 does not require extensive documentation of processes. Instead, it focuses on the actual performance of these essential security practices. Organizations seeking Level 1 compliance are permitted to conduct an annual self-assessment, making it a more accessible and cost-effective path for businesses that handle FCI but do not manage sensitive CUI data.
When do you need a C3PAO?
It’s important to understand when the involvement of a C3PAO becomes necessary within the CMMC framework. A C3PAO is an accredited firm authorized by The Cyber AB to conduct official CMMC assessments for higher certification levels such as Level 2. For organizations pursuing Level 1 certification, the self-attestation model means hiring a C3PAO is not required. However, if your organization plans to handle CUI or bid on contracts that include CMMC Level 2 requirements, a C3PAO assessment becomes mandatory.
That said, just because a C3PAO isn’t mandatory for Level 1 doesn’t mean you can’t seek outside help. Engaging a C3PAO to independently assess your compliance with the 17 Level 1 requirements adds assurance that your self-attestation accurately reflects how these controls are implemented.
Getting started with CMMC Level 1
Achieving CMMC Level 1 compliance is an important milestone for organizations looking to work with the DoD. To do this, you will report your self-attestation score directly to the DoD through its Supplier Performance Risk System (SPRS). The SPRS website offers tutorials and walkthroughs to guide you through the process.
By understanding the requirements, properly conducting and reporting your self-assessment, and seeking expert guidance when needed, your business can stay compliant and position itself as a reliable partner in the defense supply chain.
Ready to begin your CMMC journey? Reach out today to learn more.